Do’s and don’ts for a successful internal phishing campaign
1. Arm your employees against phishing
The danger behind the ever-increasing phishing barrage
No (cyber)security solution advertises one hundred percent protection. This is only logical: antivirus software and other protection measures try to offer an answer to the latest tricks that inventive hackers pull out of their hats. Security therefore always lags a little behind the newest threats. However, the greatest danger does not always come from ultramodern attack techniques or zero-day leaks.
In reality, hackers are just people looking for an easy way to make a quick buck. They therefore look for the weakest link in any cybersecurity system: people. Then they set their sights on places where there is money: companies.
There was a 61% increase in the rate of phishing attacks in the six months ending October 2022 compared to the previous year (CNBC).
A small mistake, paid for dearly
The ball lies in the businesses' court: it is up to companies themselves to train their employees and make them aware of the dangers of phishing. This way, you get an interaction where on the one hand, people on the work floor actively cooperate to create a safe company environment, and on the other hand, the acquired knowledge arms them against fraudsters in their private lives as well.
The idea is not new: in the United Kingdom, employees have already been receiving relevant training and support since 2018. The Minimum Cyber Security Standard (MCSS) that the country implemented for UK organisations requires them to establish a culture of cyber awareness.
And in Europe, the new Network and Information Systems directive (NIS-2) was recently accepted. As of 2024, companies and suppliers from key industries will have to dramatically strengthen their cyber resilience and be able to demonstrate that they are actively and consistently creating cyber security awareness. Members of management will even be obliged to follow specific security awareness training.
Testing, not bullying
As an organisation, you shouldn't wait for rules and obligations issued by a government: besides investing in extensive and up-to-date cybersecurity infrastructure, you can also raise your employees' awareness of cyber threats. At Phished, we specialise in this; we have already rolled out internal phishing campaigns and offered specialised training courses to, among many others, Kinepolis, University of Antwerp, AG Insurance, Studio 100 and Aperam. We confront employees with realistic-looking attacks and provide context so that people are prepared when they come face to face with the real deal.
In this white paper, we highlight the most important do's and don'ts that you can use as a guide for a successful training programme for your own employees. A carefully planned campaign is invaluable, but a poorly thought-out approach can do more harm than good.
We can already reveal one golden rule: your employees must take something away from the test(s). They should never feel that they are being bullied or targeted, especially when they simply need more guidance. Testing is the message, not bullying!
2. How big is your phishing problem, really?
Baseline measurement for shock effect
What is the actual state of cyber awareness within your company? To create a successful training program, you need to know not only where you want to go, but also where you are starting from. That is why a baseline measurement test is so important: it is the very first test that confronts your employees with the state of affairs. The goal is to get a clear picture of the general level of knowledge.
Split the test into two components:
How to get started?
Do: warn your co-workers in advance of an incoming test
The first time an internal phishing campaign is launched, many people are guaranteed to fall for it. On average, we see that up to 50 percent of the employees allow themselves to be caught, even when they know that something is coming. People realise the extent of the problem faster when they see how quickly they can be fooled by phishing. By communicating about the phishing simulation in advance, you also have a stronger case to defend your plans for a training program.
Do: repeat the simulation a short while later, but make it more difficult
Pull out all the stops. For example, choose an email with typosquatting, where the sender's name or the link used looks very much like that of a trusted organisation, apart from a typo. In this mail you can use internal knowledge, with references to things that only colleagues (or hackers with access to their mailbox) can know. You will notice that despite the increased difficulty, the result is better than during the first test.
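To make "apart from a typo" concrete from the receiving side, here is an added Python check (not Phished's own tooling and not part of the white paper) that flags a sender domain or link host lying within one character edit of a trusted domain, which is exactly the pattern a typosquatting simulation relies on. The trusted-domain list, the From: header and the URLs are constructed for the example.

```python
"""Lookalike (typosquatted) sender-domain and link-host check.

Added example over constructed data; TRUSTED_DOMAINS is an assumption
standing in for the organisation's real allow-list.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed trusted domains (assumption for the example).
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Lower-cased domain part of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain this one imitates, or None.

    An exact match is trusted, not a lookalike; anything within
    max_distance edits of a trusted domain is flagged.
    """
    if domain in trusted:
        return None
    for candidate in sorted(trusted):
        if edit_distance(domain, candidate) <= max_distance:
            return candidate
    return None


def check_message(from_header, link_urls):
    """Findings as (where, observed_host, imitated_domain) tuples."""
    findings = []
    sender = sender_domain(from_header)
    hit = lookalike_of(sender)
    if hit:
        findings.append(("sender", sender, hit))
    for url in link_urls:
        host = (urlparse(url).hostname or "").lower()
        hit = lookalike_of(host)
        if hit:
            findings.append(("link", host, hit))
    return findings


if __name__ == "__main__":
    # Constructed message: digit 1 replaces the letter l in the domain.
    for finding in check_message("IT Support <it-support@examp1e.com>",
                                 ["https://examp1e.com/login",
                                  "https://example.com/help"]):
        print(finding)
```

The distance threshold is deliberately small: a threshold of 1 catches the single-typo domains the text describes without flagging unrelated domains, and raising it quickly produces false positives on short names.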
Do: warn a colleague if you’ll be sending a phishing email in their name
While this technique is definitely worth a test, make sure that the person indirectly involved is not taken by surprise. We see that people usually like to be part of an educational conspiracy. Although, of course, you have to choose someone who can keep a secret.
After the tests, it is time to analyse the results in depth. Which of your organisation's weaknesses come to the fore? Are there teams or departments that need extra training? Do more people fall for simulated phishing mails when they open them on their mobile phones? With this knowledge, you can take concrete action!
Don't: make your first phishing simulation too difficult
Choose a simple email that allegedly comes from a colleague - LinkedIn is a fantastic source for this. Do not immediately start sending emails containing references to internal company knowledge or using the known company layout. A simple first simulation will already catch enough people and shows the need for further testing.
Don't: try to persuade people to click on something with the promise of a reward or bonus
While you could promise extra money in your phishing mail as bait, this is not a good idea. Yes, people will indeed click much faster, but when they learn that your email was just a phishing test and the bonus does not exist, your people will lose the motivation to learn. Criminals are not averse to such tactics, but you want to keep your employees on your side. So, keep it clean, or be prepared to bear the negative consequences.
3. What do you want to accomplish?
Onwards to 0 percent?
With the baseline measurement results in hand, you know where you stand. Now it is time to determine where you want to go with your business. How quickly and how intensely you want to build awareness varies from company to company. Typically, CISOs and IT managers set a click-through rate of less than 5 percent as a goal, and they want to have achieved that after one year.
How do you choose the right objective?
Do: set a realistic goal
No one is infallible, so don't expect your entire organisation to reach zero percent. With good and thorough training, you can already avoid a catastrophe. If someone does get seduced into an inappropriate click, then thanks to the complete training program, the entire organisation knows exactly how to react.
Do: communicate transparently about the results of your simulated phishing campaigns
Let people know how many employees have been caught out but realise that anyone can fall for it. Even at Phished, where we work on phishing every day, colleagues sometimes get caught by surprise. Make sure everyone knows what the objective is, so you can work towards it as an organisation.
Don't: punish people for clicking on a simulated link
Awareness takes time, and not everyone learns at the same pace. Choose a positive story with a focus on support and give people the time they need to grow.
4. Step by step to a safer company
The ultimate goal is to make your company safer and arm your employees with a healthy suspicion, in order to create a cybersecure work culture. Four factors contribute to the growth of your employees: frequency, personalisation, training and engagement.
Repetition, repetition and more repetition
How quickly the level of knowledge within your company increases goes hand in hand with the intensity of the training. It's not rocket science: the more often you run phishing simulations, the fewer people will fall for them by the end of the year. If you choose to use our algorithm to send out a phishing simulation only once every 90 days, you will see the phishing percentage drop to less than 13 percent. Usually, companies choose a more intensive approach with a simulation every 15 days. This reliably produces results: it lands you below the 5 percent mark. With a simulation every 5 days you can even get the figure down to 1.5 percent.
Do: plan simulations regularly
It is not enough to work with an ad hoc approach and only send out simulations when you think about it. You have to test regularly: frequency and result go hand in hand. Setting up and sending out e-mails yourself takes up a lot of time. So, choose a tool that automates the work.
Don’t: limit yourself to one test per year
We notice that an annual simulation has little to no effect in the long run. Figures show that even a thorough cyber security training is forgotten after 6 months. So, repetition is the message.
Personal touch
Don't fool yourself: everyone is susceptible to phishing. From the head of a hospital department to the cleaning crew, from the dean of a university to the receptionist, even from the IT specialist to the digital illiterate: everyone is a target and everyone can get caught. Of course, you cannot reach everyone with generic e-mails; therefore, anticipate personal pitfalls. Your marketing colleague might be a little too quick to click on a Facebook simulation, while your accounting friends won't think twice about a professional-looking email about late payments. That's why it's important to test employees with emails tailored to them.
Do: test people in different ways
Test people with different topics and possibly even at different speeds. Approach the simulations with a personalised approach and surprise departments. This way, you will have the greatest impact on their way of working and thinking.
Don’t: limit yourself to company-wide simulations
Colleagues will quickly inform each other when they find out what is going on, and that ruins the simulation. An occasional test in which you present the same content to everyone is fine, provided that you alternate such tests with more personalised campaigns.
Phishing simulations are not enough
Phishing simulations are a great way to enable your employees to spot real threats, but they are only a first step towards a safer, better protected organisation. Because awareness alone is not enough, it has to be part of a holistic approach. It is important to offer your employees a complete training that covers a wide range of cybersecurity topics. Teach them how to handle every type of threat through time-efficient, frictionless microlearnings.
Do: choose fun and interactive training
Your employees don’t care for Netflix-like libraries filled with videos that aren’t actionable. Teach them what to do when things really go wrong and motivate them using proven techniques from gamification such as nudges, rewards and certificates.
Do: use locally relevant content
While educating on the dangers of end-of-year shopping revolving around the Christmas period is globally relevant, modules on public holidays such as Cinco De Mayo or 4th of July in the USA do not work in Europe.
Don’t: require your high-performing employees to participate in tests that are too easy
They do have their use for people who might learn a bit slower, so don't lump your entire workforce together. Everyone follows their own learning path.
Together against the AI
The cyber awareness training at Phished is powered by our own proprietary AI, which sends phishing simulations to individual employees fully automatically. This appeals to the imagination: employees see that they are being tested by AI and immediately feel motivated to show that they are smarter than the robot on the other side.
This is how phishing lives within an organisation. Around the coffee machine, colleagues talk about the phishing mails the algorithm sends their way. They feel they are fighting a common enemy and are proud when they detect an email and report it. This dynamic drives awareness.
Do: give your co-workers the opportunity to report simulations
This gives them an active role in the process. An additional advantage: colleagues will also automatically report real spam as well as phishing emails, giving the company's cybersecurity attitude an extra boost. We call this involvement activation.
Sil Goeman - Bringme
IT manager
We currently get reports on 40% of sent phishing simulations. It works: it makes us report real spam as well. As a result, pressure on the service desk is relieved enormously.
Don’t: make the training campaign too non-committal
The simulations and training work best when everyone feels involved and understands the company's philosophy. Everyone really means everyone: from C-level to assistant.
5. Reporting and learning
Results under a microscope
By testing, training and activating employees, you already go a long way. However, there is still a final pillar missing for a robust cyber awareness strategy: reporting. Which simulations work best? Which recipients or departments could benefit from extra sensitisation? Through reporting, you expose the weak spots within your organisation, so that you can stay one step ahead of real hackers.
For instance, we regularly find that most recipients get caught out when they open an email on their smartphone. Such information is valuable because you can capitalise on it with a specific training module.
Do: communicate phishing rates transparently to management
Reporting can be very useful to prove the ROI of your phishing campaign. You can show what the learning curve of employees looks like by using concrete figures and results.
Do: communicate openly about phishing rates towards the entire organisation
We touch on this practice again, because it is so important. Via API integration, for example, you can quickly share figures - anonymised if necessary - internally via the intranet or on internal screens. That visibility again contributes to awareness throughout the organisation.
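The analysis questions raised earlier (which departments need extra training, whether mobile recipients click more often, how the click rate moves from the baseline to later rounds, and what share of recipients report the simulation) can all be answered from per-recipient simulation records. The Python below is an added example, not Phished's reporting feature or API; the event format and the sample records are constructed for illustration, with the 5 percent target taken from the text.

```python
"""Simulation-result reporting over constructed per-recipient records.

Added example; the record layout is an assumption and the sample data
is invented to exercise the functions.
"""
from collections import defaultdict

# Constructed sample: one record per simulated email delivered to a recipient.
# "clicked" and "reported" are the outcomes the simulation platform recorded.
SAMPLE_EVENTS = [
    {"campaign": "baseline", "recipient": "ann", "department": "finance",   "device": "mobile",  "clicked": True,  "reported": False},
    {"campaign": "baseline", "recipient": "bob", "department": "finance",   "device": "desktop", "clicked": False, "reported": True},
    {"campaign": "baseline", "recipient": "cat", "department": "marketing", "device": "mobile",  "clicked": True,  "reported": False},
    {"campaign": "baseline", "recipient": "dan", "department": "marketing", "device": "desktop", "clicked": True,  "reported": False},
    {"campaign": "baseline", "recipient": "eve", "department": "it",        "device": "desktop", "clicked": False, "reported": True},
    {"campaign": "baseline", "recipient": "fay", "department": "it",        "device": "desktop", "clicked": False, "reported": True},
    {"campaign": "baseline", "recipient": "gus", "department": "hr",        "device": "mobile",  "clicked": True,  "reported": False},
    {"campaign": "baseline", "recipient": "hal", "department": "hr",        "device": "desktop", "clicked": False, "reported": False},
    {"campaign": "baseline", "recipient": "ivy", "department": "finance",   "device": "mobile",  "clicked": False, "reported": True},
    {"campaign": "baseline", "recipient": "jon", "department": "marketing", "device": "desktop", "clicked": False, "reported": False},
    {"campaign": "round2",   "recipient": "ann", "department": "finance",   "device": "mobile",  "clicked": False, "reported": True},
    {"campaign": "round2",   "recipient": "cat", "department": "marketing", "device": "mobile",  "clicked": True,  "reported": False},
    {"campaign": "round2",   "recipient": "dan", "department": "marketing", "device": "desktop", "clicked": False, "reported": True},
    {"campaign": "round2",   "recipient": "gus", "department": "hr",        "device": "mobile",  "clicked": False, "reported": False},
    {"campaign": "round2",   "recipient": "eve", "department": "it",        "device": "desktop", "clicked": False, "reported": True},
    {"campaign": "round2",   "recipient": "bob", "department": "finance",   "device": "desktop", "clicked": False, "reported": True},
]

TARGET_CLICK_RATE = 0.05  # the "below 5 percent" goal named in the text


def campaign(events, name):
    """Records belonging to one simulation round."""
    return [e for e in events if e["campaign"] == name]


def rate_by(events, field):
    """{group: (clicked, delivered, click_rate)} grouped by a record field."""
    totals = defaultdict(lambda: [0, 0])
    for e in events:
        totals[e[field]][1] += 1
        if e["clicked"]:
            totals[e[field]][0] += 1
    return {k: (c, n, round(c / n, 3)) for k, (c, n) in totals.items()}


def report_rate(events):
    """Share of delivered simulations that recipients reported."""
    if not events:
        return 0.0
    return round(sum(1 for e in events if e["reported"]) / len(events), 3)


def weak_spots(events, field, threshold=TARGET_CLICK_RATE):
    """Groups whose click rate is still above the organisation's target."""
    return sorted(k for k, (_, _, r) in rate_by(events, field).items() if r > threshold)


def click_trend(events):
    """[(campaign, click_rate)] in first-seen order: the learning curve."""
    order = list(dict.fromkeys(e["campaign"] for e in events))
    return [(name, rate_by(campaign(events, name), "campaign")[name][2]) for name in order]


if __name__ == "__main__":
    baseline = campaign(SAMPLE_EVENTS, "baseline")
    print("by device:", rate_by(baseline, "device"))
    print("departments above target:", weak_spots(baseline, "department"))
    print("report rate:", report_rate(baseline))
    print("trend:", click_trend(SAMPLE_EVENTS))
```

Grouping by any record field keeps the same function usable for departments, devices, email templates or sender identities, and comparing rounds with click_trend gives the concrete learning-curve figures the text recommends showing to management. Anonymise recipient identifiers before publishing any of this internally.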
6. Conclusion by ethical hacker Inti De Ceukelaire (Intigriti)
Recognising that you are vulnerable is the first step to mitigating risks.
The main argument for people not to get involved in anti-phishing training - "it will never happen to me" - is invalid: everyone is susceptible to a well-executed campaign.
Inti De Ceukelaire - Intigriti
Even as a cybersecurity expert, I am not ashamed to say that I have clicked on a phishing email.
Everyone regularly experiences less vigilant moments, which is exactly why continuous testing is important. Cybercriminals don't wait until the first coffee has been consumed or until you have completed your annual awareness training. Every training course you take will be outdated the very next day, because rogue hackers are constantly using new techniques and methodologies to make their traps more realistic and up to date.
Recent data breaches at Facebook and LinkedIn, among others, teach us not only that attackers have huge databases on which to base their phishing campaigns - and which help them make them credible - but also that they need little more than a simple scraping tool to convincingly target people. In just a few seconds, a hacker is able to trap anyone.
To counter new attacks and prevent catastrophic scenarios, we must learn to recognise patterns in order to build up a permanent vigilance. This can only be done by providing ongoing training for our employees; one that is as agile as the growing cyber threat.
Do’s: How to successfully tackle an internal phishing campaign
Don'ts: How not to handle internal phishing campaigns
Who is Phished?
Phished offers a holistic approach to your employees’ Security Awareness Training. Because awareness alone is not enough, it is important to offer them a complete training that covers every base.
Using four pillar features, your organisation’s security awareness and behaviour accumulate in the Phished Behavioural Risk Score™ (BRS).
- Phishing & Smishing Simulations: send personalised phishing simulations without manual intervention
- Active Reporting: stop phishing threats with the click of a button
- Training Sessions & Checkpoints: change behaviour with short and snackable microlearnings
- Threat Alerts: warn your employees if incidents are taking place in both the employee's professional and private networks